American Standard is allegedly breached by RansomHub


American Standard, one of North America's leading kitchen and bathroom plumbing and fixture manufacturers, has been claimed as a victim by the RansomHub cybercriminal cartel, making it the first high-profile company to be claimed by the group in 2025.

The New Jersey-based commercial and residential kitchen and bath products brand was posted on the group’s dark leak blog over the weekend.

Very few details about the so-called attack are listed in the posting, which claims that 400 GB of information was exfiltrated from American Standard network servers.

On Wednesday, the gang’s leak site shows a countdown clock with just over five days left on it – apparently the deadline for American Standard to negotiate a ransom payment in return for its purported stolen data.

[Image: American Standard listing on the RansomHub leak site. Image by Cybernews.]

American Standard, which also produces brands Crane, Eljer, Fiat, Sanymetal, and Showerite under its name, has been a subsidiary of the Lixil Group, headquartered in Tokyo, since 2013.

Ironically, Grohe, a luxury German plumbing fixture brand – also a subsidiary of Lixil Group – was posted on the RansomHub leak site on Tuesday. The group further claims to have stolen 100 GB of data from the company.

Besides Grohe, the Lixil Group also owns plumbing fixture brands DXV and INAX, which do not appear on the group's victim blog.

No sample data was provided with either RansomHub listing, as is often customary when targeting big-name ransomware victims.

However, Lixil has an exclusive military discount program, which American Standard and Grohe are a part of, that allows US military members to purchase products directly from the manufacturer. This could lead to the exposure of sensitive data if accessed by hackers.

[Image: Grohe listing on the RansomHub leak site. Image by Cybernews.]

Cybernews has reached out to both companies, as well as the Lixil Group, and is waiting for responses at the time of this report.

Formed in 1929, American Standard generates over $2 billion in revenue annually, operates in 50 countries with about 5,000 employees, and manages 50 production facilities and two research & development centers worldwide, according to its website.

Grohe, which has offices in Germany and New York City for its American division, similarly has 6,000 employees and generates over $1.8 billion in revenue annually, ZoomInfo reports.

RansomHub kicks off 2025

RansomHub proved itself to be one of the most active ransomware gangs of 2024, said to be responsible for nearly a fifth of all ransomware victims, according to a report from November. So far this year, the group has claimed 19 victims, including American Standard and Grohe.

Claiming its first victim last February, the group is believed to be of Russian origin, as it typically avoids targets in Russia, CIS countries, Cuba, North Korea, and China.

Marking its accelerated climb and dethroning the infamous LockBit ransomware group last fall, RansomHub is known for operating a ransomware-as-a-service (RaaS) model and using double extortion tactics, according to a 2024 joint bulletin by the US Cybersecurity and Infrastructure Security Agency (CISA) and FBI, released last August.

According to the CISA advisory, the cybercrooks breached nearly 500 victims in 2024, a rate of almost one victim per day. The cyber watchdog also provides a full list of the Kremlin-backed gang's known IOCs, including IP addresses, tools, known URLs, email addresses, and more.

The Cybernews Ransomlooker tool shows the RansomHub group claimed close to 500 victims from its start in February 2024 through December 2024. Image by Cybernews.

RansomHub is an equal opportunist, targeting companies from multiple industry sectors, mainly in the US, including critical infrastructure, non-profit organizations, and private corporations.

The cartel’s most recently claimed victims include MetLife (although the company has adamantly denied a breach), the Government of Mexico, Kawasaki Motors Europe, and the multi-center Planned Parenthood of Montana.

The group, acting as an affiliate, also became a major player in the aftermath of the massive breach of UnitedHealth's Change Healthcare, carried out by the ALPHV/BlackCat ransomware gang.

RansomHub was reported to have published a swath of files allegedly part of what was obtained during the Change Healthcare hack after ALPHV absconded with the entire $22 million ransom payment.

Other big names claimed by the gang last year include oilfield servicing company Halliburton, US drug store chain Rite Aid, gaming laptop-maker Clevo, and the high-profile Christie’s auction house.